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REMARKS 

Reconsideration and allowance of the subject patent application are respectfully 
requested. 

Claims 1, 2, 5 and 6 were rejected under 35 U.S.C. Section 101 as allegedly being 
directed to non-statutory subject matter. Claim 1 has been amended to recite M [a]n anti- 
malware file scanning computer system." Conforming amendments have been made to 
claims 2, 5 and 6. Applicant respectfully submits that these claims are now even more 
clearly directed to statutory subject matter, not to "software per se" as alleged in the 
office action. 

Claim 1-5, 7-11 and 13-15 1 were rejected under 35 U.S.C. Section 103(a) as 
allegedly being made "obvious" by Roberts et al. (U.S. Patent Publication No. 
2004/0088570) and Gordon et al. (U.S. Patent No. 7,107,618). Applicant traverses this 
rejection for the reasons set forth below. 

For convenience the following comments are made specifically with respect to 
claim 1. However, equivalent comments apply to the other independent claims 7 and 13 
which include corresponding features. 

In summary, there is a fundamental difference between the claims and the applied 
prior art references. In the prior art, the same element (e.g., a webpage) is considered 
twice, once to benchmark, and once to compare, whereas claim 1 considers an element 
once only, and compares it with a master representation. 

For example, Roberts et al. takes an element, e.g., webpage, and tries to check 
later if that same element has been changed. However, the claims do not involve the 
concept of an initial check, followed by a later check to see if a change has occurred. The 
file is only processed (e.g., passed through a scanner) once, and there is no previous 
check. 



Applicant notes that claims 3, 4, 9, 10 have previously been canceled without prejudice or disclaimer. 
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To compare claim 1 to Roberts et al. would be the equivalent of Roberts et al. 
storing one URL in the database, then later on saying that a second URL, pointing to a 
different page on a different web server, actually contains an infected page derived from 
the page stored at first URL. There is no way that Roberts et al. can be stretched to this 
interpretation. 

Gordon et al. also takes an element - a file - and tries later to check whether the 
same file has been changed. To compare claim 1 with Gordon et al. would be the 
equivalent of Gordon et al. creating a certificate saying that the contents of one email are 
safe, then somehow later saying the contents of a different email, on a different network 
are infected because they contain a changed copy of the certified email. Again, there is 
no possibility of interpreting Gordon et al. in this way. 

In the prior response, Applicant, among other things, identified four points of 
novelty. The current office action concedes that Roberts et al. fails to disclose the first 
point of novelty (i.e., processing performed in respect of executable programs) and 
Gordon et al. is now cited to allegedly remedy this deficiency. However, even assuming 
(without agreeing) that Gordon et al. discloses executable programs, the proposed 
combination is still deficient with respect the other points of novelty. Indeed, there is no 
allegation in the current office actitin that Gordon et al. provides any teachings relevant to 
these other novel features. 

In particular, the third point of novelty mentioned in the prior response relates to 

the fact that feature b) of claim 1 has two separate elements. For reference, feature b) of 

claim 1 is set forth below with labels bl) and b2) for convenient reference: 

means for processing a file being transferred between computers, the means 
b) comprising: 

bl) a file recogniser operative to determine whether the file being processed 
is an instance of a known program by checking the contents of the file being 
processed for the presence of said at least one characteristic signature associated 
with the said instances; and 
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b2) a difference checker operative, in the case that the file recognizer 
determines the file being processed to be an instance of a known program, to 
check whether the file is an unchanged version of that known program. 

The elements bl) and b2) are separate. Element b2) is operative in dependence on 
the determination of element bl). In particular element b2) is operative only if element 
bl) determines that the file is an instance of a known program. 

The fourth point of novelty is to signal the three different outcomes of the two 
separate elements bl) and b2), as follows. 

First, if the outcome is that clement bl) determines that the file is not an instance 
of a known program, feature c) is to signal that the file is of unknown status. 

Second, if the outcome is that element bl) determines that the file is an instance of 
a known program and that element b2) determines that the file is an unchanged version, 
feature c) is to signal that the file is likely not to be malware. 

Third, if the outcome is that element bl) determines that the file is an instance of a 
known program and that element b2) determines that the file is a changed version, feature 
c) is to signal that the file is likely to be malware. 

Neither Roberts et al. nor Gordon et al. discloses elements meeting the 
requirements of features b) and c) as recited in claim 1 . 

In particular, Roberts et al. discloses a process having two elements. In step 42 of 
Fig. 6 (paragraph [0036]), Roberts et al. determines whether a requested address (URL) is 
stored in the database. Step 50 of Fig. 6 (paragraph [0037]) is performed in dependence 
on the outcome of step 42, i.e., if step 42 determines that the requested address is stored 
in the database. In step 50, it is determined whether the webpage at the requested address 
has changed by comparing the checksum of the actual webpage with the stored 
checksum. 

With hindsight, one might attempt to view step 42 (determining whether the 
requested address is a known address) as being similar to element bl) (determining 
whether the file being transferred is a known file). Therefore, a first approach to attempt 
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to read Roberts et al. onto claim 1 is to attempt to read step 42 of Roberts et al. onto 
element bl) of claim 1, and to read step 50 of Roberts et al. onto element b2) of claim 1. 
However, with this first approach there is no lack of novelty because step 42 of Roberts 
et al does not read onto element bl) of claim 1. Step 42 of Roberts et al. involves 
comparing a requested address with addresses stored in a database. This does not meet 
the requirement of element bl) of "checking the contents of the file being processed for 
the presence of said at least one characteristic signature associated with the said instances 
[defined in feature a) as being stored in the database]". 

Presumably because of the failure of this first approach to reading Roberts et al, 
the current office action takes a second approach in which it is attempted to read a 
combination of steps 42 and 50 onto element bl). This is evident from the recitation in 
paragraph 5 of the office action where, in respect of element bl) of the file recogniser, the 
office action relies on paragraph [0037] and the comparison of the checksum. This is 
also evident from the Response to Arguments in paragraph 6 where the office action 
asserts that "the checksum [of Roberts et al.] is the claimed characteristic signature," i.e. 
element bl) of claim 1. 

However, with this second approach there is also no lack of novelty for two 
reasons. 

The first and most significant reason is that if steps 42 and 50 in combination are 
read onto element bl), there is no further step which can be read onto element b2) of 
claim 1. If step 50 of Roberts et al. is read onto element bl), Roberts et al. does not have 
any further element meeting the requirement of element b2). As previously mentioned 
clement b2) is defined as an element operative when element bl) determines that the file 
is not known. Step 50 of Roberts et al. cannot constitute both element bl) and element 
b2) which performs a further process dependent on the determination of element bl). 

This point that feature b) comprises two elements was made in the prior response 
in relation to the third point of novelty. Applicant notes that this point is not specifically 
addressed in the Response to Arguments in paragraph 6. 
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The second reason why the second approach fails to demonstrate a lack of novelty 
is that, in any event, step 50 of Roberts et al. does not read onto element bl). This is for 
the reasons set forth regarding the second point of novelty in the prior response. 
Applicant respectfully submits that these reasons have not been overcome by the current 
office action. 

Element bl) of claim 1 recites "a file recogniser operative to determine whether the 
file being processed is an instance of a known program by checking the contents of the 
file being processed for the presence of said at least one characteristic signature 
associated with the said instances" (emphasis added) is novel. The point made previously 
is that the requirement to check the "contents of the file for the presence of said at least 
one characteristic signature" is not met by step 50 of Roberts et al. of checking a 
checksum of the file under consideration against a stored checksum. A checksum is a 
value dependent on the value of each data element in the file and a checksum changes if 
any data element of the file changes. Comparison of checksums simply involves 
comparison of two values. Therefore comparison of checksums as in Roberts et al. does 
not constitute checking for the presence of a signature in the contents of the file as in 
claim 1. 

This point is discussed in the Response to Arguments in paragraph 6 by stating (1) 
that "Roberts teaches a checksum of the Internet web pages that are pre-emptively 
scanned and stores the URL and checksum ...in the database. . . for comparison of the file 
being processed" and (2) "the file being processed is compared to URL then checksum", 
and then by asserting that "the checksum is the claimed characteristic signature used to 
determine whether the file has changed." While points (1) and (2) may be an accurate 
characterization of Roberts et al., this fails to demonstrate that a checksum comparison 
meets the requirement of element bl) of checking of the contents of the file for the 
presence of a signature. 

Applicant additionally notes that in paragraph 5, the office action omits the 
recitation in element bl) of "by checking the contents of the file" when setting out the 
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features known from Roberts et al. so it is not even set out in the office action that this 
part of element bl) is known from Roberts et al. 

Applicant also respectfully submits that the assertion in the Response to 
Arguments in paragraph 6 that "the checksum is the claimed characteristic signature used 
to determine whether the file has changed" muddles up elements bl) and b2) of the 
claims. Element bl) relates to the use of a characteristic signature. Element b2) relates to 
determination of whether the file has changed. The claims do not use the characteristic 
signature to determine if the file has changed, as asserted by the Examiner. 

Applicant believes the differences between the applied references and the claims 
has clearly been demonstrated. In short, the distinction is not simply the processing of 
different things, e.g., an executable file in the claims and a webpage in Roberts et al. The 
distinction also involves a different form of processing, as discussed above. Furthermore 
despite some superficial similarity between the claims and Roberts et al., there are 
significant differences in processing. In Roberts, latency is reduced by pre-emptive 
scanning of webpage, so a changed, known web page is simply treated as an unknown 
webpage and subjected to further scanning. In contrast, the claims utilize the principle 
that a changed, known file is suspicious and so signals that the file is likely to contain 
malware. This is a different signal from that for an unknown, which is signaled as being 
of unknown status. This principle is not taught or obvious from Roberts et al. or Gordon 
etal. 

The remaining dependent claims 6, 12 and 16 are rejected based on proposed 
combinations of Roberts et al. with Wu et al. (U.S. Patent No. 5,617,533) or Chao et al. 
(U.S. Patent Publication No. 2004/0128355). These other references do not remedy the 
deficiencies of Roberts et al. and Gordon et al. with respect to the independent claims and 
thus Applicant submits that claims 6, 12 and 16 patentably distinguish over the 
combinations of art proposed in the office action. 
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The pending claims are believed to be allowable and favorable office action is 
respectfully requested. 

Respectfully submitted, 



NIXON & VANDERHYE P.C. 
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901 North Glebe Road, 1 1th Floor 
Arlington, VA 22203-1808 
Telephone: (703)816-4000 
Facsimile: (703)816-4100 
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